Version 1.0. Last updated: 13 April 2026.
Data Retention & Deletion
PatchMon keeps your data only as long as we need to run the service and meet our legal obligations. This page is the plain-English summary. The full policy is available to customers and auditors on request.
Our principles
- Keep the minimum needed to run the service.
- Keep it only as long as needed.
- Delete it when the time is up, unless a law or a legal hold requires otherwise.
- Let you export or delete your data at any time.
How long we keep things
| Data | How long | Why |
|---|---|---|
| Your account and the data you push through PatchMon | Life of account + 30 days | So we can restore an account closed in error. Deleted sooner on written request. |
| Login records and session history | 12 months | So we can investigate suspicious activity on your account. |
| Audit logs (who did what in PatchMon) | 12 months | Your own audit trail and ours. |
| Application and access logs | 90 days | Operational troubleshooting. |
| Encrypted database backups | 30 days | Disaster recovery. Deleted data ages out of backups within 30 days. |
| Host image backups | 14 days | Server-level recovery. |
| Invoices and billing records | 6 years | UK tax and company law require us to keep these. |
| Support correspondence | 3 years after ticket closed | Context for recurring issues and any follow-up. |
| Security and incident records | 6 years | Legal limitation period, insurer requirements, pattern analysis. |
| Newsletter subscription | Until you unsubscribe | We keep a suppressed-email list (hashed) so we do not email you again. |
What “deletion” means at PatchMon
When we delete data, we remove it from live systems. Encrypted copies may remain in backups for up to the backup window (30 days for databases, 14 days for host images). During that time the data is not accessible to anyone operationally; it simply has not yet aged out of the rolling backup cycle.
If we ever have to restore from backup, deletion requests are re-applied as the first post-recovery action.
Physical media is destroyed at end of life using methods compliant with NIST SP 800-88 Rev. 1, and we retain certificates of destruction for 6 years.
Your rights
You can at any time:
- Export your data from inside PatchMon Cloud (users, hosts, patch history, audit logs) using the built-in export feature.
- Ask us to delete your data by emailing support@patchmon.net. We acknowledge within 2 business days and complete most requests within one month.
- Exercise your UK GDPR rights, including access, rectification, erasure, restriction, portability, and objection. See our GDPR page for the full list and how we handle each.
When are we the controller, and when the processor?
For your account-holder data (your name, work email, login records), PatchMon LTD is the controller. We decide how that data is used and we respond directly to data-subject requests.
For the operational data you push into PatchMon (managed host lists, IP addresses, OS users, package inventories, patch history), you are the controller and PatchMon LTD is the processor acting on your documented instructions. If one of your users wants their data erased from PatchMon, the request is routed to you as their controller, and we support your action within 10 business days.
Self-hosted PatchMon
If you run PatchMon PRO or Community Edition on your own infrastructure, you decide your own retention and deletion policies. PatchMon software exposes settings for log retention, soft-delete windows, and scheduled purges. PatchMon LTD does not hold your operational data in that case; our role is as software provider only.
Legal holds
In the event of actual or anticipated litigation, regulatory investigation, or other formal legal process, PatchMon LTD may be required to preserve specific records beyond their normal retention. In that case we suspend automated deletion of the affected records until the hold is released in writing.
Questions or a request
Export, deletion, or access requests: support@patchmon.net
Data-protection questions: dataprotection@patchmon.net
Live security incidents: incidents@patchmon.net
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk). PatchMon LTD ICO registration: CSN4642152.